Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-5739

Subject not populated with groups/roles when authenticated via JASPIC

    Details

      Description

      After having authenticated via JASPIC, requesting the current Subject via JACC and then using that for permission checks fails.

      For instance the following code will always set hasAccess to false given that "/protected/*" requires a role and the authenticated user is in that role:

      Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
       
      boolean hasAccess = Policy.getPolicy().implies(
          new ProtectionDomain(
              new CodeSource(null, (Certificate[]) null),
              null, null, 
              subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()])
          ),
          new WebResourcePermission("/protected/Servlet", "GET"))
      ;
      

      As it appears, the problem originates from the fact that subject.getPrincipals() does not contain the roles.

      This can be traced back to org.jboss.security.auth.callback.JASPICallbackHandler.handleCallBack, where it becomes clear that the roles are only put into the "util", but not in the "authenticatedSubject":

      String[] rolesArray = groupPrincipalCallback.getGroups();
      int sizeOfRoles = rolesArray != null ? rolesArray.length : 0;
       
      if( sizeOfRoles > 0 )
      {
        List<Role> rolesList = new ArrayList<Role>();
        for( int i = 0; i < sizeOfRoles ; i++ )
        {
           Role role = new SimpleRole( rolesArray[ i ] );
           rolesList.add( role );
        }
        RoleGroup roles = new SimpleRoleGroup( SecurityConstants.ROLES_IDENTIFIER, rolesList );
       
        // if the current security context already has roles, we merge them with the incoming roles.
        RoleGroup currentRoles = currentSC.getUtil().getRoles();
       
        // *** ROLES ARE ONLY SET HERE ***
        if (currentRoles != null) {
            currentRoles.addAll(roles.getRoles());
        }
        else {
            currentSC.getUtil().setRoles( roles );
        }
      } 
       
      // *** BELOW THIS LINE ROLES ARE NOT REFERENCED ANYMORE
      // *** SUBJECT IS NOT POPULATED WITH ANY ROLE INFO 
       
      Subject subject = groupPrincipalCallback.getSubject();
      if( subject != null )
      {
         // if the current security context already has an associated subject, we merge it with the incoming subject.
         Subject currentSubject = currentSC.getSubjectInfo().getAuthenticatedSubject();
         if (currentSubject != null) {
             subject.getPrincipals().addAll(currentSubject.getPrincipals());
             subject.getPublicCredentials().addAll(currentSubject.getPublicCredentials());
             subject.getPrivateCredentials().addAll(currentSubject.getPrivateCredentials());
         }
         currentSC.getSubjectInfo().setAuthenticatedSubject(subject);
      }
      

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  arjant Arjan t
                • Votes:
                  1 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: